How I’d Use AI Agents in a Security Automation Platform

Disclaimer: Opinions expressed are solely my own and do not reflect the views or opinions of my employer or any other affiliated entities. Any sponsored content featured on this blog is independent and does not imply endorsement by, nor relationship with, my employer or affiliated organisations.

Continuing with the AI agents series, I wanted to dive deeper into practical ways you can leverage AI agents in Security Automation platforms (aka Hyperautomation or SOAR). These platforms aren't new ,many organisations already use them. Some stick with open-source solutions, others develop in-house tools, and a good chunk relies on vendor offerings. I've covered their evolution and history already, so I won’t repeat myself here. Check out the previous blog if you want that backstory.

As I’ve explored AI agent implementations in cybersecurity, I've noticed quite a bit of skepticism, especially around complex setups like multi-agent Retrieval-Augmented Generation (RAG). But the good news is that, for security automation specifically, we usually deal with single-agent RAG setups embedded directly into playbooks, each agent serving a clearly defined purpose. Think of it like those "utility" playbooks that platforms ship pre-built. We rarely use those prebuilt ones because it’s often easier to build from scratch than tweak something complicated. However, AI agents flip this around, they’re actually plug-and-play. You don't have to mess around too much to get them working.

This edition is sponsored by BlinkOps

Before diving into AI agents specifically, let’s quickly review how today’s security automation platforms already use AI:

1. AI Workflow Builders: Most automation platforms include an AI assistant that helps draft automation workflows using simple prompts. But keep an eye on the details:

   • Can you just create automations, or can you also edit, debug, and enhance them using AI?

   • Does it handle complex workflows like multithreading or multiple conditional branches (if-else statements)?

   • Important note: AI-generated workflows usually work well only with prebuilt integrations/actions. Ask it to build something new or unsupported, and you'll usually get a generic API call (if you're lucky).

2. AI Integration Creators: Some platforms now allow you to upload API documentation, and AI will build the integration and list available actions. But watch out:

   • API authentication methods can be tricky. OAuth 2.0, for example, often needs manual tweaking after AI-generated setup.

   • Always test the actions created by AI—things like pagination, limit handling, and even basic variables might need manual corrections.

3. AI Summaries for Alerts and JSON Responses: This one's straightforward and pretty helpful, especially if your automation platform has integrated case management. Gen AI typically excels at summarizing alerts and logs. A nice bonus feature here is AI summaries for debugging or interpreting error messages, which simplifies troubleshooting even on low-code platforms.

Why Use AI Agents in Security Automation?

AI agents bring a new level of intelligence and adaptability to your security automation strategy. Traditional security automation has typically relied on predefined actions and fixed processes. If something changes like APIs, data formats, or even threat behavior these traditional automations often require manual adjustments. AI agents, on the other hand, are dynamic. They continuously adapt to new inputs and learn from previous interactions, significantly reducing maintenance efforts.

Imagine you're creating a playbook to handle an EDR alert. Normally, you start with enrichment: querying different platforms, gathering IOC and asset info, parsing data, and so forth. Sure, you can create a 10-step automation for this (or even a utility playbook), but here's where an AI agent shines. You call the agent specifically designed for enrichment, and it handles the integrations intelligently based on input context. Not only does it provide you with a neatly summarized output, but the best part is—it learns and improves with every run. Traditional methods usually stay static until someone submits a ticket to update them.

Another major advantage of AI agents is their ability to handle complex logic flows with ease. Take a triage classifier agent, for example. Instead of manually defining dozens of rules for prioritizing alerts, the AI agent can dynamically evaluate alert attributes, historical context, and threat intelligence to accurately prioritize and route incidents, saving considerable analyst time.

Understanding Single-Agent Retrieval-Augmented Generation (RAG)

Single-agent RAG combines the power of Large Language Models (LLMs) with external knowledge bases or documentation to enhance responses with contextually relevant information. Simply put, the agent retrieves relevant information from structured data, documentation, or previous interactions, then uses that to generate accurate and contextually meaningful responses or actions.

The single-agent approach is straightforward: one agent is responsible for retrieving and synthesizing information, making decisions, or performing tasks within a defined scope. This simplicity significantly reduces complexity compared to multi-agent systems, where coordinating multiple agents can introduce additional challenges such as conflicting instructions, communication overhead, and unpredictable interactions.

Types of AI Agents in Security Automation

Typically, we’re talking about single-agent RAG setups focused on clear, repeatable tasks. Here are some AI agent roles that would significantly streamline workflows in a security automation platform:

• Malware Analyst Agent: Analyzes suspicious files automatically, providing detailed reports on file behavior.

• IOC Enrichment Agent (Threat Intel specialist): Gathers and enriches indicators from various threat intelligence sources.

• Asset Enrichment Agent: Provides context about affected devices, users, or systems involved in an incident.

• Triage Classifier Agent: Dynamically classifies and prioritizes alerts based on learned patterns.

• Reactive Threat Hunting Agent: Initiates automated threat hunts based on triggers or anomalies detected.

• Identity & Access Manager Agent: Automates verification and remediation of suspicious access requests or privileges.

• Infrastructure Remediation Agent: Automatically remediates known vulnerabilities or security misconfigurations.

• Incident Coordinator Agent: Coordinates incident response activities and escalates critical events to human analysts.

• Security Service Desk Handler Agent: Handles repetitive service requests, freeing analysts for more strategic tasks.

• Report Writer Agent: Automatically generates incident reports, status updates, and compliance documentation.

• Timeline Analysis Agent: Constructs comprehensive incident timelines to assist analysts during investigations.

This list just scratches the surface. You can explore more automation use cases in my earlier blog on Security Automation Types